Trust, but verify -- better yet: Trust, but contain!



Hackers recently compromised Home Depot’s data, exposing as many as 52 million credit card transactions. Commentators quickly jumped on the story, reporting that the company had suffered from lax cybersecurity standards for years and had ignored repeated warnings of potential vulnerabilities. Now, Ars Technica reports that Home Depot’s Senior Architect for IT Security, Ricky Joe Mitchell, had previously been convicted of sabotaging the network of a former employer.

This added layer of complexity throws light on a question that many companies and users do not often consider: Whom are we trusting when we defer to internal IT teams to keep our data safe?

Mitchell’s background and history were hardly a secret. His case was public record, stating that, following his termination, he had entered his former employer’s offices and disabled critical network equipment in addition to turning off the equipment’s cooling systems. This type of behavior was nothing new to Mitchell. At 17, he got expelled from school for introducing viruses to his school’s computer system. He sued for reinstatement and the case went all the way to the state Supreme Court.

As public record, these details were easily uncovered in a rudimentary pre-hire screening. And yet Home Depot hired Mitchell to oversee their IT Security operations.

Home Depot may not be alone. Earlier in the year, Code Spaces collapsed after a SysAdmin’s Amazon account was compromised, either wilfully or maliciously, taking down all of the company’s data, and their customers’ data with it. The company is still offline. While the Code Spaces collapse may or may not have been internal sabotage, it does prompt a question: whom did they trust with their cybersecurity?

As more and more services convert to a browser-centered infrastructure, companies give their systems personnel more and more authority and autonomy. And as the complexity of the security needs grows, the gap between the technical cognoscenti and management widens.

At a certain point, the need for an IT security head with the right level of knowledge and experience may outweigh the red flags raised by that individual’s character or past performance.

All of which might be fine if we put checks and balances in place to ensure that such individuals abide by company guidelines and act in the company’s interest. All too often, however, these checks and balances are not in place.

Imagine for a moment that a financial services company hired employees for their skills and immediately gave them access to the company’s systems and the ability to conduct transactions without oversight. This would not happen because companies are highly attuned to financial risk and take appropriate precautions.

Today’s business is inextricably intertwined with technology and the internet. It’s time for us to place the same level of value on technological infrastructure as we do on financial data and financial systems. Here are a few simple steps to start:

  1. Conduct background checks on all new hires, particularly those at a senior level.
  2. Develop and implement internal controls, even simple ones, to restrict access and put checks and balances in place for technical changes.
  3. Closely control system access and permissions. If your systems don’t allow restricted permissions, at a minimum conduct regular reviews of which accounts have access to which resources.
  4. Implement a central ‘kill switch’ to revoke access the moment an employee is terminated.

While Silo can’t help with the background checks, it is designed to make instating internal controls and restricting access as simple as a mouse click. And, with Silo, terminating an employee’s account takes less than a second.

As we have seen repeatedly in the rash of recent compromises, the greatest flaws in our security are not wholly technical. They are human. And we owe it to our customers, and ourselves, to put systems in place that keep us safe and ensure that control over IT infrastructure does not default to a single person. Because sometimes we don’t know whom we’re trusting with our safety.

Scott Petry - Scott is Co-Founder and CEO of Authentic8. Prior to Authentic8, Scott founded Postini and served in a variety of C-level roles until its acquisition by Google in 2007.
